Spammers abuse Google Forms quizzes by exploiting the “Release scores” feature to deliver emails from Google’s servers, increasing the likelihood they reach victims’ inboxes. Cisco Talos notes a recent spike in these campaigns, including elaborate cryptocurrency scams that steer victims to fake sites after interacting with a quiz.
Key points
- Spammers abuse Google Forms quizzes by using the “Release Scores” feature to deliver emails to victims.
- Emails originate from Google’s own servers, improving chances of landing in the inbox and bypassing some protections.
- Campaign volume has risen from near-noise levels to hundreds of messages.
- Attackers configure a Google Form quiz to collect recipient emails and then send customized score-release emails.
- Response workflows let attackers present fake quiz results and direct victims to additional phishing pages and external sites (e.g., go-procoinwhu.top and dudicyqehama.top).
- A multi-step cryptocurrency scam uses a fake login site, fake group chat, and social engineering to extract personal data and payment via an “exchange fee.”
MITRE Techniques
- [T1566.003] Phishing via Service – The attack leverages Google Forms’ quiz and score-release mechanism to deliver phishing emails from Google’s infrastructure. “The message delivered as part of the email can be customized to include any text or URL, and the message will then be delivered by Google using the ‘From:’ address of the Google account that created the quiz.”
- [T1566.002] Phishing: Spearphishing Link – Victims are guided from the quiz interaction to further phishing steps, including a link to another Google Form to confirm email and then to a third-party site. “Clicking the ‘View’ on a ‘Scores released:’ spam directs the victim to the spammer-generated form response.” The campaign also uses link text such as “>>> GO TO THE SITE” to drive victims to malicious content.
Indicators of Compromise
- [Domain] – go-procoinwhu.top, dudicyqehama.top
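A mail-triage check for the pattern described above, as an added example that is not from the Talos post: it flags score-release notifications whose customized message links outside Google and reports any host matching the two domains listed here. The subject prefix match, the allowlist of Google host suffixes, the function name and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Assumption: the notification subject begins with the "Scores released:" text quoted above.
SUBJECT_MARKER = "scores released:"
# Assumption: host suffixes a genuine score-release mail links to; tune per environment.
GOOGLE_SUFFIXES = ("google.com", "forms.gle", "gstatic.com")
# Domains listed under Indicators of Compromise on this page.
KNOWN_BAD = ("go-procoinwhu.top", "dudicyqehama.top")
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)

def _under(host, suffixes):
    """True if host equals, or is a subdomain of, any suffix."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def triage_score_release(raw):
    """Return a verdict dict for one RFC 5322 message supplied as text."""
    msg = message_from_string(raw, policy=default)
    subject = (msg["Subject"] or "").strip().lower()
    if not subject.startswith(SUBJECT_MARKER):
        return {"quiz_mail": False, "external_hosts": [], "ioc_hits": []}
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        for url in URL_RE.findall(part.get_content()):
            host = (urlsplit(url).hostname or "").lower()
            if host and not _under(host, GOOGLE_SUFFIXES):
                hosts.add(host)
    external = sorted(hosts)
    return {"quiz_mail": True, "external_hosts": external,
            "ioc_hits": [h for h in external if _under(h, KNOWN_BAD)]}

# Constructed sample message (not a captured email).
SAMPLE = """\
From: Quiz Owner <owner@example.com>
To: recipient@example.org
Subject: Scores released: Account balance
Content-Type: text/plain; charset="utf-8"

Your transfer is waiting. >>> GO TO THE SITE http://go-procoinwhu.top/
Pay the exchange fee: https://pay.example.net/fee
View: https://docs.google.com/forms/d/e/CONSTRUCTED/viewscore
"""

if __name__ == "__main__":
    print(triage_score_release(SAMPLE))
```

Because the sending infrastructure is Google's, sender reputation and authentication results will not separate these messages from legitimate quiz notifications; the external link in the customized message is the signal this check relies on.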
Read more: https://blog.talosintelligence.com/google-forms-quiz-spam/